PSA: HTML injection in chrome documents is now automatically sanitized

Kris Maglione kmaglione at mozilla.com
Fri Feb 2 07:13:03 UTC 2018


As of bug 1432966, any HTML injected into chrome-privileged documents[1] is 
automatically sanitized to remove any possibility of script execution. The 
sanitization is whitelist-based, and only allows a limited set of HTML 
elements and attributes. All scripts, XUL nodes, or privileged URLs will 
automatically be removed. This change has been uplifted all the way to 58 
release.

If you're thinking about writing new code that injects HTML strings into 
chrome-privileged documents, please think again. Unless it's extremely simple, 
it probably won't be compatible with these changes (and will also be rejected 
by our default ESLint rules).

Existing HTML injection in chrome documents is being gradually removed. Once 
that's done, the sanitization may be replaced with an outright prohibition.


-Kris

[1]: Using the usual HTML fragment creation methods such as `innerHTML`, 
`outerHTML`, `insertAdjacentHTML`, and `createContextualFragment`. Not, 
notably, when using document.write().
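An added illustration of the policy the post describes, written by the editor in Python rather than taken from Firefox's own sanitizer: a whitelist-based fragment sanitizer that keeps only a small constructed set of elements and attributes, discards script content, `on*` event handlers, namespaced (e.g. `xul:`) nodes, and URLs with privileged or scriptable schemes such as `chrome:` and `javascript:`, and re-escapes all text so nothing is re-parsed as markup. The element, attribute and scheme lists are assumptions chosen for the example, not Firefox's real lists.

```python
"""Model of whitelist-based HTML sanitization for privileged documents.

Added example, not Firefox's nsTreeSanitizer: it demonstrates the policy the
post describes (allow a small set of elements/attributes, drop scripts, event
handlers, namespaced/XUL nodes and privileged URL schemes).
"""
from html import escape
from html.parser import HTMLParser

# Constructed whitelist for this example; Firefox's real list differs.
ALLOWED_ELEMENTS = {"a", "b", "br", "div", "em", "i", "li", "ol", "p", "span", "strong", "ul"}
ALLOWED_ATTRIBUTES = {"class", "id", "title", "dir", "lang", "href"}
URL_ATTRIBUTES = {"href"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # chrome:, resource:, javascript:, data: are out
# Elements whose entire subtree is discarded rather than merely unwrapped.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "template"}
VOID_ELEMENTS = {"br"}


def url_is_safe(value: str) -> bool:
    """True for relative references and for absolute URLs with an allowed scheme."""
    # Strip whitespace/control characters so "java\tscript:" is not misread.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    head, sep, _ = cleaned.partition(":")
    if not sep or any(c in head for c in "/?#"):
        return True  # no scheme present: a relative reference
    return head.lower() in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        # Namespaced names (e.g. xul:browser) and unknown elements are unwrapped:
        # the tag disappears while its text children survive.
        if ":" in tag or tag not in ALLOWED_ELEMENTS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRIBUTES:
                continue  # event handlers and anything off the whitelist go
            if name in URL_ATTRIBUTES and not url_is_safe(value or ""):
                continue  # privileged or scriptable scheme
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never re-parsed

    # Comments and processing instructions are dropped: the default
    # handle_comment/handle_pi emit nothing.


def sanitize(fragment: str) -> str:
    """Return the fragment with only whitelisted markup retained."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the handler, the script and the chrome: URL all disappear.
    print(sanitize('<p onclick="alert(1)">Hi <script>evil()</script>'
                   '<a href="chrome://browser/content/">link</a></p>'))
```

The unwrap-versus-drop distinction matters: unknown or namespaced elements are unwrapped so harmless text is kept, whereas elements whose content is itself executable or loadable (`script`, `iframe`, and so on) are discarded together with everything inside them. URL checking strips whitespace and control characters before looking at the scheme, since a parser that tolerates `java\tscript:` would otherwise let the value through.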